
Method and apparatus for selectively enforcing network security policies using group identifiers

a network security and group identification technology, applied in the field of network security enforcement, can solve the problems of limited applicability, inflexible approach, and not normally practicable implementation

Inactive Publication Date: 2007-07-24
CISCO TECH INC

AI Technical Summary

Benefits of technology

[0025]The foregoing needs, and other needs and objects that will become apparent for the following description, are achieved in the present invention, which comprises, in one aspect, a method and apparatus for selectively enforcing network security policy using group identifiers. In one embodiment, the method involves creating and storing one or more access controls in a policy enforcement point that controls access to the network, wherein each of the access controls specifies that a named group is permitted or denied access to a particular resou...

Problems solved by technology

In the past, this has been unworkable for various reasons.
This policy is best implemented by eliminating the network connection of each prospective user, and is not normally practical to implement.
This approach has limited applicability; although ACLs may be placed to limit access to destinations, the approach is inflexible because users and their machines normally move around within an enterprise.
The second approach, providing dynamic access controls with mobility, may involve implementing the policy model that is now under development by the Internet Engineering Task Force (IETF), but may have a scalability problem to be effective.
In the first sub-approach, a small process effort is required but the approach is relatively inefficient.
Thus, neither sub-approach is fully satisfactory.
A permissive policy usually takes fewer access control elements, but may not always cover all cases in a dynamic environment.
However, in a restrictive environment, that server would not be on the list of servers that could be accessed until the administrators placed it there.
If they are not, then the policy enforcement will fail and security may be breached.
Thus, the first sub-approach involves significant scalability problems.
In a large network, this could add a very significant amount of traffic.
Further, the memory required to hold the Access-Control elements for each of these users in a large network would be substantial and may fill all available memory in the PEPs.
However, if the topology information is incorrect, or if there are resiliency mechanisms that are not accounted for in the topology, then there may be a coverage hole left that can be exploited.
As a result, the utility of this approach is limited by the ability of a network to define such VLANs at or carry such VLANs to every point a new user might access them.
Coordinating the existence and membership of such VLANs at every network switch becomes complicated.
The scalability limitations of this method become particularly apparent when used in networks that are highly geographically diverse or on networks that support broadcast or multicast based applications.
Having each of these groups in a VLAN on a switch (with dynamically add-able IP addresses per port) would waste address space.
The application of the static rules adds greatly to the complexity of the administration.
This over-booking of address ranges on a single switch is extremely wasteful of addresses.
This is poor for network administration, but is especially bad for the validation of a security policy.
However, in general, this mechanism is exclusively used to control access to files and resources on Unix systems and cannot be effectively used to control access to network resources.




Embodiment Construction

[0038]A method and apparatus for selectively enforcing network security policy using group identifiers is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

[0039]Operational Context

[0040]FIG. 1A is a block diagram of a computer network system 100 that is provided to illustrate a structural context in which certain embodiments of the invention may be used. Generally, system 100 includes one or more network devices 120, 122, 124, 126, application programs 112, 114, a plurality of workstations 116, 118, a quality of service policy server 106, and a core network 128.

[0041]Netwo...


Abstract

A method and apparatus for selectively enforcing network security policy using group identifiers are disclosed. One or more access controls are created and stored in a policy enforcement point that controls access to the network, wherein each of the access controls specifies that a named group is allowed access to a particular resource. A binding of a network address to an authenticated user of a client, for which the policy enforcement point controls access to the network, is created and stored. The named group is updated to include the network address of the authenticated user at the policy enforcement point. A packet flow originating from the network address is permitted to pass from the policy enforcement point into the network only if the network address is in the named group identified in one of the access controls that specifies that the named group is allowed access to the network. Accordingly, network security may be implemented in the form of abstract groups that include specific network addresses; as a result, users may be allowed or denied access to network addresses by updating membership of the groups to include or delete the network addresses of the users, rather than by creating or deleting access controls that specifically identify the users.
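The summary and the abstract above describe the same mechanism: access controls name a group rather than a user, an authenticated user's address is bound and added to the groups that user belongs to, and a flow is allowed through the policy enforcement point only if its source address is a member of a group that an access control permits for the destination. The following Python model is an added illustration written for this page; it is not code from the patent or from Cisco. The class and method names, the identity store, the first-match evaluation order and all addresses and user names are assumptions constructed for the example.

```python
"""Toy policy enforcement point (PEP) that enforces access controls written
against named groups, with per-user address bindings populating the groups.
Added illustration for this page; not code from the patent or from Cisco."""

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessControl:
    """One access control: a named group is permitted or denied a resource."""
    group: str
    resource: IPv4Network
    action: str  # "permit" or "deny"


class PolicyEnforcementPoint:
    def __init__(self, identity_store: Dict[str, Set[str]]) -> None:
        # identity_store maps an authenticated user to the groups they belong
        # to (assumed to come from an external directory; constructed here).
        self.identity_store = identity_store
        self.access_controls: List[AccessControl] = []
        self.bindings: Dict[IPv4Address, str] = {}      # address -> user
        self.groups: Dict[str, Set[IPv4Address]] = {}   # group -> addresses

    def add_access_control(self, group: str, resource: str, action: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.access_controls.append(AccessControl(group, ip_network(resource), action))

    def bind(self, address: str, user: str) -> None:
        """Record that `user` authenticated from `address` and add the address
        to every group the user belongs to. The access controls are untouched."""
        addr = ip_address(address)
        if addr in self.bindings:
            self.unbind(address)  # one binding per address: drop the stale owner first
        self.bindings[addr] = user
        for group in self.identity_store.get(user, set()):
            self.groups.setdefault(group, set()).add(addr)

    def unbind(self, address: str) -> None:
        """Drop the binding (logout, lease expiry) and remove the address from
        every group, revoking access without editing any access control."""
        addr = ip_address(address)
        self.bindings.pop(addr, None)
        for members in self.groups.values():
            members.discard(addr)

    def permits(self, src: str, dst: str) -> bool:
        """First matching access control wins; no match means deny."""
        src_addr, dst_addr = ip_address(src), ip_address(dst)
        for ac in self.access_controls:
            if src_addr in self.groups.get(ac.group, set()) and dst_addr in ac.resource:
                return ac.action == "permit"
        return False


def demo() -> Dict[str, bool]:
    """Walk through bind / move / re-address / unbind; all data is constructed."""
    pep = PolicyEnforcementPoint({"alice": {"engineering"}, "bob": {"contractors"}})
    pep.add_access_control("contractors", "10.1.0.0/16", "deny")
    pep.add_access_control("engineering", "10.1.0.0/16", "permit")
    results: Dict[str, bool] = {}
    # Nobody has authenticated from this address yet: default deny.
    results["unbound"] = pep.permits("192.168.1.10", "10.1.5.5")
    pep.bind("192.168.1.10", "alice")
    results["alice_bound"] = pep.permits("192.168.1.10", "10.1.5.5")
    # No access control covers 10.2.0.0/16 for engineering: still deny.
    results["alice_other_net"] = pep.permits("192.168.1.10", "10.2.0.1")
    pep.bind("192.168.1.20", "bob")
    results["bob_bound"] = pep.permits("192.168.1.20", "10.1.5.5")
    # Alice moves to a new address: her group access follows the new binding.
    pep.unbind("192.168.1.10")
    pep.bind("192.168.7.7", "alice")
    results["alice_moved"] = pep.permits("192.168.7.7", "10.1.5.5")
    results["alice_old_addr"] = pep.permits("192.168.1.10", "10.1.5.5")
    # Bob later obtains alice's old address: only bob's groups apply to it.
    pep.bind("192.168.1.10", "bob")
    results["readdressed"] = pep.permits("192.168.1.10", "10.1.5.5")
    pep.unbind("192.168.7.7")
    results["alice_unbound"] = pep.permits("192.168.7.7", "10.1.5.5")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} {'permit' if allowed else 'deny'}")
```

Two choices in the model are worth noting. Evaluation is first-match with a default deny, so ordering a deny control before a permit control for the same resource makes the deny win for users who are in both groups; a real PEP would document whichever order it uses. Binding an address that is already bound first removes the old binding, so an address that changes hands never carries the previous user's group memberships, which is the coverage hole that the problem statement warns about when address-to-identity state goes stale.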

Description

FIELD OF INVENTION

[0001]The present invention generally relates to enforcing security in a network. The invention relates more specifically to a method and apparatus for selectively enforcing network security policy using group identifiers.

BACKGROUND OF THE INVENTION

[0002]In securing a network it is desirable to implement a type of security throughout the infrastructure based upon the identity of a user and an association of that user to the network address that he is using. In the past, this has been unworkable for various reasons. Accordingly, there is a need for a scalable approach for associating data flows to individuals and groups at network policy enforcement points.

[0003]Generally, there are four ways to define and implement an access security policy: Closed, Restrictive, Permissive, and Open. Under a Closed policy, all prospective users are denied access to the network. This policy is best implemented by eliminating the network connection of each prospective user, and is...


Application Information

IPC: G06F7/04
CPC: G06F21/31; H04L63/02; H04L63/101; H04L63/105; G06F2221/2103
Inventors: LEAR, ELIOT; LONVICK, CHRISTOPHER M.
Owner: CISCO TECH INC